Errors authenticating with your LDAP user account in the Puppet Enterprise console after generating a new self-signed certificate for your directory server

After generating a new self-signed certificate for your directory server, you try to log in to the console with your LDAP user account and get a fatal error.

Error messages and logs

These errors might occur when an expired certificate is configured to authenticate SSL connections for the directory server or when the certificate path or credentials for a new certificate are misconfigured in PE or in the Java keystore file (.jks)

In the console in External directory:

Something unexpected occurred: {"kind":"puppetlabs.rbac.ldap/ldap-exception","msg":"Encountered fatal error when communicating with directory service: server down (code 81). Check the logs for more information.","error-code":81}

In console-services.log:

Key Text : "javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException"

"WARN [p.r.h.middleware] POST /rbac-api/v1/auth/token com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to send the LDAP message to server openldapServername:port: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Mar 17 08:06:30 PDT 2019 caused by java.security.cert.CertificateExpiredException: NotAfter: Sun Mar 17 08:06:30 PDT 2019:"

Version and installation information

PE version: All supported versions

Solution

Check that the connection and authentication with your external directory are configured correctly using the following steps.

Note: To complete the steps in this article you must download and install the Java Development Kit (JDK) on your local machine. We cannot troubleshoot third-party software.

Part one: Ensure that the path to the directory server’s certificate is configured correctly in PE.

Verify directory server certificates for Puppet Enterprise. To check your Java keystore file in the following steps, note the path set in rbac_ds_trust_chain.

Part two: Ensure that your authentication credentials are configured correctly

To be able to communicate with the external directory service, either PE must be configured to use SSL to connect to the directory service or the path to the certificate for the directory service must be set. in your Java keystore file (.jks).

1. Log in to the primary server (called the master in older versions of PE). Navigate to /opt/puppetlabs/server/data/console-services/rbac and check if there is a .jks in the directory.

   If there is no .jks file:

   Confirm that SSL is enabled. In the console, click Access control > External directory. Ensure that Connect using: is set to SSL

   If there is a .jks file:

   A. Make a copy of the .jks file and move it to your local machine.

   B. Open the .jks file with the java keytool by running keytool -list -v -keystore <JKS FILE NAME>.jks. When you are prompted for a password, press Enter (or Return) to view the contents of the file, since no password has been set.

   C. Check the contents of the .jks file.

   1. Check Alias Name. Make sure that from pathToMyCert matches the path of the rbac_ds_trust_chain.

   2. Check Valid from. Make sure that Until is a valid date in the future.

   If this information matches, it confirms that the certificate exists and is configured correctly for the LDAP server.

Check other servers and restart services

1. Make sure the certificate value and content of rbac_ds_trust_chain on the primary server matches the configuration of other servers in your infrastructure.

2. If you didn’t restart OpenLDAP server services after putting the new certificate in place, restart them.

3. If you made changes to the certificate, restart pe-console-services.

In the console, confirm that you can connect to the external directory service. If you can’t, please open a ticket.